I am working on the code signing aspect of InstallBuilder. Initially I am using signtool for Windows but will also need to sign Mac & Linux .exe & .jar files. I can sign my main install file that I build with InstallBuilder (aka setup.exe). I have read about the postBuildActionList concept, so I can run signtool from there.

I just want to make sure that if I want a customer's final application executable to be signed (MyApp.exe), then I cannot sign it until they have run the setup.exe on their system. Therefore, I need to include a .pfx certificate file as part of the build? And I should probably include the signtool.exe so a customer does not have to install Microsoft SDK themselves? Not sure if signtool.exe depends on other .dlls that would also need to be present.

The .pfx file is password protected so seems like it's OK to distribute it. Can I define it (and signtool.exe) as a hidden file in the customer's install directory so they will not see it?

Please let me know if I am missing something here. I do not see a place when running InstallBuilder where I can sign the MyApp.exe file while building the install package.


asked 23 Aug '13, 12:39

GregHorton's gravatar image

accept rate: 0%

The binaries you are installing (i.e. MyApp.exe) should be signed before building the installer, not at customer site.

The best way to do this is to have the build process of the application also sign it - i.e. if it automated using Makefile, Maven, Ant/NAnt or other build tool, there should be another step to run signtool to sign the DLLs/EXEs.

Similarly for Mac OS X binaries/bundles, the signing should be done at build time (and has to be done on an OS X machine). The process is documented here:


As for signing .jar files, the process is slightly different and is documented here:


Alternatively, same commands can be run to sign the binaries before building the installer in <preBuildActionList>, however it is not recommended as running the signing tools multiple times may lead to binary file size increase over time.


answered 23 Aug '13, 17:04

wojciechka's gravatar image

wojciechka ♦♦
accept rate: 26%

In InstallBuilder, my .jar file is finished and packed with the install package. I was able to use your info to run jarsigner to sign my .jar file. InstallBuilder does something during the customer's installation called "Build Java Launcher", which is when it creates the final MyApp.exe file that I need to sign. I am now packaging the certificate file with the install, running it on the final MyApp.exe then destroying the certificate file. Seems to be working OK.

(25 Aug '13, 00:37) GregHorton

Unfortunately it is not possible to sign the Java launchers created by InstallBuilder.

Could you send your project to support@bitrock.com and we will check if it is possible to build the Java launcher separately, then sign and package it as part of the installer.

As for the method you have mentioned of signing it during installation is not recommended - you are shipping your certificates, which in turn may allow someone to get them and use them to sign any software (i.e. malicious software).

(26 Aug '13, 07:13) wojciechka ♦♦

I am able to sign the Java Launcher binary fine if I do not sign the main install.exe file, or regardless of main install signing if runInConsole=1. I would think that this would be a common scenario. Thanks

(26 Aug '13, 09:07) GregHorton
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 23 Aug '13, 12:39

Seen: 4,393 times

Last updated: 26 Aug '13, 09:08